ABOUT KENNEDYS


“The firm has a deep understanding of the pressures on the client’s bottom-line 
and has developed a reputation for providing straightforward, pragmatic advice.” 


Chambers and Partners 


Kennedys is a global law firm with expertise in dispute resolution and advisory 
services. Founded in 1899, we have a rich history of delivering straightforward advice, 
even when the issues are complex. 


With over 2,000 people and 37 offices globally, including ten offices across the UK, we 
are a fresh-thinking firm and are not afraid to bring new ideas to the table beyond the 
traditional realm of legal services. 


Our lawyers handle both contentious and non-contentious matters, and provide a range of 
specialist legal services for many industry sectors including insurance and reinsurance, 
aviation, banking and finance, construction and engineering, healthcare, life sciences, 
marine, public sector and rail, as well as real estate, retail, shipping and international 
trade, sport and leisure, transport and logistics and travel and tourism. We have 
experience in cyber risks across all of these lines of business. 


We care about helping our clients understand the drivers of change and are committed to
representing our clients' interests in policy-led changes. Our Corporate and Public Affairs
team examines and provides insights on emerging risks, as well as on the impact of legal and
political shifts on global and local business environments. Our niche focus on insurance
and disputes permeates every part of our global network and allows us to always offer rich
and diverse perspectives.


kennedyslaw.com 


Introduction 


We have a global cyber corporate solutions team consisting of cyber, privacy, litigation and
corporate specialists. We work with companies across various industries, helping them navigate
and manage the complex and constantly evolving challenges posed by data sharing and cyber
risks.


Drawing on the insights gained from our expertise and experience in this area, we welcome
the proposed revisions to the ICO's data sharing code of practice, but we are of the opinion
that the addition of more targeted guidance around the mechanics of data sharing would be of
greater assistance to organisations and individuals.


RESPONSE 


Q1 Does the updated code adequately explain and advise on the new aspects of data 
protection legislation which are relevant to data sharing? 


[ ] Yes
[x] No


Q2 If not, please specify where improvements could be made. 


Our experience in advising on data sharing across various industries and jurisdictions leads 
us to consider that there is a need for more targeted guidance around the mechanics of 
data sharing. 


Our main observation is that the draft code focuses on and clearly outlines the general 
requirements of the GDPR without seeking to apply those requirements to the specific 
practice of data sharing. 


Rather than reading as an extension of the GDPR, the code would be more useful if it were
more specific about the practicalities of data sharing, instead of offering guidance that
closely mirrors the general guidance on processing.


Q3 Does the draft code cover the right issues about data sharing? 
[ ] Yes
[x] No

Q4 If no, what other issues would you like to be covered in it? 


As raised above, the draft code covers the issues of data processing clearly.
However, it would be helpful to place greater focus on the practice of data sharing.


As an example, the section on security (pages 46-49) extensively discusses the security
requirements set out in the GDPR and gives general advice about securing personal data.
However, there is little detail about the specific security issues that a controller needs to
consider when sharing data.


There is a section entitled “What are the security considerations when sharing data?” but 
most of the bullet points under that heading are general points about data security which 
would apply to any processing situation e.g. “make sure you provide a suitably high level 
of security for special category or sensitive data”. There are already multiple sources 
providing general guidance surrounding data security. 


From our experience, what would be helpful would be to provide specific guidance on the 
particular security issues which a controller might face when sharing data. For example: 


- Consider the threshold for sharing the minimum amount of data necessary - e.g. 
how much data does the third party actually need to see? Could the data be 
provided progressively in phases? Likewise could some parts of the data be 
pseudonymised? 

- Consider the method of transmission of the data and whether a more secure 
transmission method could be used - e.g. sharing data from a secure server 
rather than mailing a USB key. 

- Consider what steps could be taken to secure the chosen method of transmission 
- e.g. password protection, encryption, remote wiping of devices. 

- Consider what enquiries should be made about the third party’s security 
measures. 
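As an added illustration of the first and third bullets above (share only what the recipient needs, pseudonymise parts of the data, and check the result before it leaves), here is a short Python example. It is not part of Kennedys' response or of the draft code. The customer records, the field lists, the assumed sharing purpose and the key are all constructed for the illustration. It uses a keyed HMAC rather than a plain hash so that a recipient who does not hold the key cannot reverse a token or confirm a guessed customer ID by recomputing it; the key stays with the controller, which is also why the output is pseudonymised rather than anonymised and remains personal data in the controller's hands. It also goes slightly beyond the bullets by generalising the postcode to its outward code, one common way of "providing less" without dropping a field entirely.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for a controller's customer/claims
# database (hypothetical; not real personal data).
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "policy_no": "P-77", "claim_amount": 1200.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "postcode": "M1 1AE", "policy_no": "P-78", "claim_amount": 300.00},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "policy_no": "P-79", "claim_amount": 80.00},
]

# Assumed sharing purpose: the recipient analyses claims by area and needs to
# link claims belonging to the same customer, but has no need for names,
# e-mail addresses or full postcodes. These field lists are assumptions.
NEEDED_FIELDS = ("customer_id", "postcode", "policy_no", "claim_amount")
PSEUDONYMISE_FIELDS = ("customer_id",)   # keep linkable, but not in the clear
GENERALISE_FIELDS = ("postcode",)        # reduce to outward code, e.g. "SW1A"
DIRECT_IDENTIFIERS = ("name", "email")   # must never appear in the export


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret the controller keeps.

    Because the key never leaves the controller, the recipient cannot
    reverse the token or confirm a guessed value by recomputing it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (the part before the space)."""
    return postcode.strip().split()[0]


def prepare_share(records, key, needed=NEEDED_FIELDS,
                  pseudo=PSEUDONYMISE_FIELDS, general=GENERALISE_FIELDS):
    """Build the minimised, part-pseudonymised records to hand over."""
    shared = []
    for rec in records:
        out = {}
        for field in needed:              # minimisation: allow-list only
            value = rec[field]
            if field in pseudo:
                value = pseudonymise(str(value), key)
            elif field in general:
                value = generalise_postcode(value)
            out[field] = value
        shared.append(out)
    return shared


def leaks_direct_identifiers(shared, identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Pre-release check: True if any direct identifier field survived."""
    return any(f in rec for rec in shared for f in identifiers)


def export_jsonl(shared) -> str:
    """Serialise for transfer. How this string travels (an encrypted channel
    rather than a USB key in the post) is the separate transmission decision."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in shared)


if __name__ == "__main__":
    # Hypothetical key; in practice generated randomly and held by the controller.
    key = b"controller-held-pseudonymisation-key"
    shared = prepare_share(CUSTOMER_RECORDS, key)
    assert not leaks_direct_identifiers(shared)
    print(export_jsonl(shared))
```

The two claims for the same customer come out with the same token, so the recipient can still link them, while a different key (or a different controller) yields unrelated tokens for the same ID. The export function deliberately stops at serialisation: choosing and securing the transmission channel, and asking the recipient about its own security measures, are the separate steps the second and fourth bullets describe.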


The draft code does not address data sharing outside of the EEA, and states that further 
information will follow. We look forward to seeing this in due course. 


Q5 Does the draft code contain the right level of detail? 
[ ] Yes
[x] No
Q6 If no, in what areas should there be more detail within the draft code? 


As we have raised above, the code extensively considers issues arising from data 
security and data processing, but it could provide further guidance on the specific 
practice of data sharing. 


For example, the privacy by design section could offer examples of well-designed and 
poorly-designed systems and the contrast between them (see our response to Q4 
above). 


To put this into context, some real-world scenarios that we have encountered include
the following:


- In a data breach response situation, we have found that clients are reluctant to
disclose sufficient information to us to facilitate the data subject notification
process (for example, customer database lists). This has the potential to cause
unnecessary delays, and clarity on this situation would be helpful.


- More generally, we are hearing concerns from insurers that they are unable to 
obtain sufficient information from their insured clients in order to assess claims. 
This is often due to a misunderstanding as to the scope of data which can be 
shared in this context. 


Additionally, the above scenarios call into question the potential applicability of Article 
14 of the GDPR as this would lead to a situation where an insurer or solicitor becomes a 
controller of personal data which has not been obtained directly from the data subject. 
Furthermore, the fairness section could offer guidance on what factors might make a 
sharing of data unfair, and/or offer some examples of unfair sharing of data. 


Q7 Has the draft code sufficiently addressed new areas or developments in data
protection that are having an impact on your organisation's data sharing practices?


[ ] Yes
[x] No


Q8 If no, please specify what areas are not being addressed, or not being addressed in 
enough detail 


The privacy by design section could offer examples of well-designed and poorly- 
designed systems and the contrast between them (see our response to Q4 above). 


The fairness section could offer guidance on what factors might make a sharing of data 
unfair, and/or offer some examples of unfair sharing of data. 


Q9 Does the draft code provide enough clarity on good practice in data sharing? 
[ ] Yes
[x] No


Q10 If no, please indicate the section(s) of the draft code which could be improved, 
and what can be done to make the section(s) clearer. 


We consider that some of the 'at a glance' sections are also generic and do not reflect
the content being summarised. The sections themselves discuss practical points, for
example in the 'Fairness and Transparency in data sharing' section, but the 'at a glance'
section is again on the generic side, rather than offering a clearer and more
comprehensive summary of the commentary below it.


Q11 Does the draft code strike the right balance between recognising the benefits of 
sharing data and the need to protect it? 


[ ] Yes
[x] No


Q12 If no, in what way does the draft code fail to strike this balance? 


The draft code could do more to address this issue: it refers to the practicalities of
data sharing without addressing the benefits of sharing data and the need to protect it.
For example, the 'common concerns' on pages 11-13 are generic and would benefit
from being more specific. Some statements are too general and do not offer sufficient
clarity. The three examples are all healthcare-related and could be broader in
scope.


Q13 Does the draft code cover case studies or data sharing scenarios relevant to your 
organisation? 


[x] Yes
[ ] No


Q14 Please provide any further comments or suggestions you may have about the draft 
code. 


With regard to our own business, Kennedys would welcome more guidance on data sharing
in legal practice, specifically on the sharing of personal data with the court,
counterparties and witnesses in the context of litigation. There is a brief, albeit helpful,
case study provided by the Law Society of Scotland that outlines the parties with which law
firms share data on a regular basis. That guidance, coupled with further
clarification in the draft code, would be of assistance.


The ICO highlights the importance of data sharing in the context of mergers and
acquisitions, and states that consideration of data sharing should form part of the due
diligence process, in addition to following governance and accountability
requirements. However, there is limited focus on the sharing of personal data as part of
the due diligence process prior to a merger or acquisition. This may be particularly
pertinent given the ICO's recent decision on Marriott's actions during its acquisition
of Starwood.


From an industry perspective, particularly in respect of our insurer clients, we would 
also be interested to see case scenarios within the insurance sector for the purposes of 
underwriting and claims e.g. in the context of fraud prevention and access to medical 
records. This information would also provide guidance to not only the insurance market 
but across the retail finance industry (please also see examples set out at the response 
to Q6). 


Q15 To what extent do you agree that the draft code is clear and easy to understand? 


[x] Strongly agree
[ ] Agree
[ ] Neither agree nor disagree
[ ] Disagree
[ ] Strongly disagree

Q16 Are you answering as: 


[ ] An individual acting in a private capacity (e.g. someone providing their views
as a member of the public)
[ ] An individual acting in a professional capacity
[x] On behalf of an organisation
[ ] Other

